docs(oidc): adjust client secret information (#4211)

2022-10-20 15:27:09 +11:00 · 2022-10-20 15:27:09 +11:00 · 9e29295bdf
parent 248f1d49d4
commit 9e29295bdf
19 changed files with 182 additions and 58 deletions
--- a/docs/content/en/configuration/identity-providers/open-id-connect.md
+++ b/docs/content/en/configuration/identity-providers/open-id-connect.md
@ -352,12 +352,10 @@ A friendly description for this client shown in the UI. This defaults to the sam
 {{< confkey type="string" required="situational" >}}

 The shared secret between Authelia and the application consuming this client. This secret must match the secret
-configured in the application. This can either be stored in plain text (by prefixing the plain text secret with
-`$plaintext$` or can be a hashed password generated with
-[authelia crypto hash](../../reference/cli/authelia/authelia_hash-password.md).
+configured in the application.

 This secret must be generated by the administrator and can be done by following the
-[Generating a Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) guide.
+[Generating Client Secrets](../../integration/openid-connect/specific-information.md#generating-client-secrets) guide.

 This must be provided when the client is a confidential client type, and must be blank when using the public client
 type. To set the client type to public see the [public](#public) configuration option.
--- a/docs/content/en/integration/openid-connect/apache-guacamole/index.md
+++ b/docs/content/en/integration/openid-connect/apache-guacamole/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/argocd/index.md
+++ b/docs/content/en/integration/openid-connect/argocd/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/bookstack/index.md
+++ b/docs/content/en/integration/openid-connect/bookstack/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md
+++ b/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md
@ -20,9 +20,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/gitea/index.md
+++ b/docs/content/en/integration/openid-connect/gitea/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/gitlab/index.md
+++ b/docs/content/en/integration/openid-connect/gitlab/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/grafana/index.md
+++ b/docs/content/en/integration/openid-connect/grafana/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/harbor/index.md
+++ b/docs/content/en/integration/openid-connect/harbor/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/hashicorp-vault/index.md
+++ b/docs/content/en/integration/openid-connect/hashicorp-vault/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/komga/index.md
+++ b/docs/content/en/integration/openid-connect/komga/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/nextcloud/index.md
+++ b/docs/content/en/integration/openid-connect/nextcloud/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/outline/index.md
+++ b/docs/content/en/integration/openid-connect/outline/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/portainer/index.md
+++ b/docs/content/en/integration/openid-connect/portainer/index.md
@ -24,9 +24,14 @@ aliases:

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/proxmox/index.md
+++ b/docs/content/en/integration/openid-connect/proxmox/index.md
@ -22,15 +22,20 @@ aliases:
 * [Proxmox]
  * 7.1-10

-## Before You Begin
+### Common Notes

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Specific Notes

 *__Important Note:__ [Proxmox] requires you create the Realm prior to adding the provider. This is not covered in this
 guide.*

+### Assumptions
+
 This example makes the following assumptions:

 * __Application Root URL:__ `https://proxmox.example.com`
--- a/docs/content/en/integration/openid-connect/seafile/index.md
+++ b/docs/content/en/integration/openid-connect/seafile/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/specific-information.md
+++ b/docs/content/en/integration/openid-connect/specific-information.md
@ -0,0 +1,39 @@
+---
+title: "Specific Information"
+description: "Specific information regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party"
+lead: "Specific information regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party."
+date: 2022-06-15T17:51:47+10:00
+draft: false
+images: []
+menu:
+  integration:
+    parent: "openid-connect"
+weight: 615
+toc: true
+---
+
+## Generating Client Secrets
+
+We strongly recommend the following guidelines for generating client secrets:
+
+1. Each client should have a unique secret.
+2. Each secret should be randomly generated.
+3. Each secret should have a length above 40 characters.
+4. The secrets should be stored in the configuration in a supported hash format. *__Note:__ This does not mean you
+   configure the relying party / client application with the hashed version, just the secret value in the Authelia
+   configuration.*
+5. Secrets should only have alphanumeric characters as some implementations do not appropriately encode the secret
+   when using it to access the token endpoint.
+
+Authelia provides an easy way to perform such actions via the [authelia crypto hash generate] command. Users can
+perform a command such as `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72` command to
+both generate a client secret with 72 characters which is printed and is to be used with the relying party and hash it
+using PBKDF2 which can be stored in the Authelia configuration.
+
+[authelia crypto hash generate]: ../../reference/cli/authelia/authelia_crypto_hash_generate.md
+
+### Plaintext
+
+Authelia supports storing the plaintext secret in the configuration. This may be discontinued in the future. Plaintext
+is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret
+does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated.
--- a/docs/content/en/integration/openid-connect/synapse/index.md
+++ b/docs/content/en/integration/openid-connect/synapse/index.md
@ -22,9 +22,14 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Assumptions

 This example makes the following assumptions:

--- a/docs/content/en/integration/openid-connect/synology-dsm/index.md
+++ b/docs/content/en/integration/openid-connect/synology-dsm/index.md
@ -22,13 +22,20 @@ community: true

 ## Before You Begin

-You are required to utilize a unique client id and a unique and random client secret for all [OpenID Connect] relying
-parties. You should not use the client secret in this example, you should randomly generate one yourself. You may also
-choose to utilize a different client id, it's completely up to you.
+### Common Notes
+
+1. You are *__required__* to utilize a unique client id for every client.
+2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
+3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
+   [Generating Client Secrets] guide instead.
+
+### Specific Notes

 *__Important Note:__ [Synology DSM] does not support automatically creating users via [OpenID Connect]. It is therefore
 recommended that you ensure Authelia and [Synology DSM] share a LDAP server.*

+### Assumptions
+
 This example makes the following assumptions:

 * __Application Root URL:__ `https://dsm.example.com/`
@ -69,7 +76,7 @@ which will operate with the above example:
 ```yaml
 - id: synology-dsm
  description: Synology DSM
-  secret: synology-dsm_client_secret
+  secret: '$plaintext$synology-dsm_client_secret'
  public: false
  authorization_policy: two_factor
  redirect_uris: